Time to rein in app-mad employees

Jul 4, 2017

Malicious unmanned third party cloud applications downloaded onto desktops and devices are exposing enterprise networks to security issues with increasing frequency. Yet, many companies aren’t exercising appropriate control over the apps that employees are using.
This is despite robust tools being available to block, monitor and control the use of third party apps.
According to Richard Broeke, GM at managed IT security services company Securicom, an enterprise’s cloud based infrastructures become more vulnerable with each and every third party connected application that employees introduce into the environment.
“These apps, once granted access by users via open authentication, are able to communicate quite freely with the corporate cloud as well as software-as-a-service (SaaS) platforms. Once they are able to access the network, the apps can view, delete, externalize and store corporate data.
“Alarmingly, some are even capable of acting on behalf of users. What we are finding is that a lot of companies do not know how many apps have access to their corporate infrastructure, which ones pose a risk, or what those risks are,” he says.
An analysis of connected third party cloud applications across a sample group of 900 organizations representing a range of industries in 2016 showed that at least 27% of the apps introduced by employees into enterprise environments posed a high security risk.
The number of third party apps is also growing rapidly. There were about 129 000 unique applications observed at the beginning of 2016. By the end of October, that number had grown to 222 000. The number of applications has increased approximately 11 times since 2014.
According to Broeke, file sharing apps, instant messaging tools, remote printing apps, and even photo editing tools are examples of the kinds of apps that employees are downloading for work and personal use onto the very same endpoints and devices they also use to store and share business information.
“This obviously comes with the risk of exposure of critical and confidential business information as well as malware,” he says.
Measures can be put in place to identify unsanctioned apps and enforce corporate policies regarding the use of cloud resources. In fact, with the right technologies, companies can make a selection of applications available to employees without compromising company infrastructure or data.
“To prevent employees from using a diversity of apps which all do the same thing, companies can implement policies and technologies which allow certain, credible and tested ones while blocking other tools. This limits the number of unmanned applications at play in the organisation,” advises Broeke, adding that companies don’t have to have a complete blanket ban on the use of third party apps.
He also offers this advice:
* Educate your employees on the risks of using unsanctioned apps and what information is or isn’t okay to share or store in third party apps.
* Conduct an analysis to identify what apps your employees are using and why. Then investigate whether there are more efficient and safer options that could be authorized and managed.
* Create an in house directory of company approved apps to allow employees to find and use the apps that they find useful while also reducing the unsanctioned use of unapproved apps.
* Most enterprise versions of cloud based apps offer some kind of directory services that enable IT to integrate with employees’ existing user passwords. This would give the IT team control over the new apps.